Security, Confidentiality and Legal Issues (SCLIM)

Background notes for session 7 - Computer security

As well as the notes here, see also the notes I produced for another course.

Physical security

  1. How do you prevent unauthorised people from
  2. thereby causing loss of data or loss of service?
  3. How do you prevent accidents ruining your business?

Physical access control

Protection against physical damage

Protection of software and data

Contingency planning

Threat analysis

Bruce Schneier, "Attack Trees: Modeling security threats", Dr. Dobb's Journal, December 1999 (http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm)

Insurance

[See Tony Elbra, Security Review Manual, NCC Publications, 1986]

A long bibliography is available at http://www.finor.com/en/secubook.htm.

Password security

How to choose a good password. Advice from the (US) National Security Institute can be found at http://nsi.org/Library/Compsec/goodpass.html. And how to choose a bad password? See http://feynman.physics.lsa.umich.edu/~myers/Passwords.html!

Other computer security

dongle [from http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?query=dongle]

/dong'gl/ 1. A security or copy protection device for commercial microcomputer programs consisting of a serialised EPROM and some drivers in a D-25 connector shell, which must be connected to an I/O port of the computer while the program is run. Programs that use a dongle query the port at startup and at programmed intervals thereafter, and terminate if it does not respond with the dongle's programmed validation code. Thus, users can make as many copies of the program as they want but must pay for each dongle. The idea was clever, but it was initially a failure, as users disliked tying up a serial port this way. Almost all dongles on the market today (1993) will pass data through the port and monitor for magic codes (and combinations of status lines) with minimal if any interference with devices further down the line - this innovation was necessary to allow daisy-chained dongles for multiple pieces of software. The devices are still not widely used, as the industry has moved away from copy-protection schemes in general. 2. By extension, any physical electronic key or transferable ID required for a program to function. Common variations on this theme have used parallel or even joystick ports. See dongle-disk.

[Note: in early 1992, advertising copy from Rainbow Technologies (a manufacturer of dongles) included a claim that the word derived from "Don Gall", allegedly the inventor of the device. The company's receptionist will cheerfully tell you that the story is a myth invented for the ad copy. Nevertheless, I expect it to haunt my life as a lexicographer for at least the next ten years. - ESR]

Auditing

Keeping track of who does what to your data.

The Computer Audit Specialist Group (CASG) of the BCS: http://www.bcs.org.uk/siggroup/casghme.htm

Data integrity

Ensuring that your data is up-to-date and consistent.

Data quality.

Total Data Quality Management at MIT: http://web.mit.edu/TDQM/.
